Risk analysis:The office uses a risk-assessment process to identify and prioritize functional areas needing audit attention, and to allocate Internal Audit staff resources. Each year audit management evaluates top risk areas and determines which should be included in the annual audit plan, which is normally finalized in February or March of each year after approval by the Internal Audit Committee. High-risk areas and management requests routinely receive highest priority.

Special projects:These projects are audits or investigations conducted upon request as resources are available.

What is the difference between internal and external auditors?

Internal auditors are employees of the organization, while external auditors, such as the Office of the Auditor's General, are not. Internal and external auditors coordinate to minimize duplication of work.

Who audits the auditors?

Every three years a team of external auditors conducts a Quality Assurance Review as required both by our legislation and the Institute of Internal Auditors.

What happens during an audit?

Engagement letter: This letter states the objectives of the audit, the start date and key audit staff. It is sent to the appropriate permanent secretary and head of department. Auditees are normally notified in writing when their area is selected for an audit; however, due to the nature of some audit work, the office may give little or no notice.

Opening meeting: Depending on the type of audit and amount of audit work planned, an opening meeting with the head of the department and/or executive staff may be held to discuss the purpose and scope of the audit.

Audit work: Most audits involve two or three audit staff. Auditors review departmental records and interview department personnel. The department director or supervisor is responsible for ensuring that all pertinent data are made available. Auditors try to arrange meetings in advance and to work around scheduling conflicts. The duration of the audit will vary depending upon its scope; it could take anywhere from a week to several weeks. Any expansion of audit scope or time is communicated to the director or supervisor.

Communicating results: Auditees are given draft findings to review before the formal audit report is issued. Internal Auditing staff are available to discuss audit procedures, findings and recommendations. More serious findings, such as material internal control weaknesses or suspected illegal acts, are immediately brought to the attention of both the Accountant General, and the Auditor General.

Closing meeting: Closing meetings are held for each audit engagement to resolve any questions or concerns the auditees may have about the findings, resolve any other issues before the final audit report is issued, and solicit management's response. Management is typically given two weeks to submit written responses to audit findings and recommendations. These responses are included in the formal audit report.

Formal audit reports: A formal written report is issued for each audit engagement. Special findings may be reported by memoranda.

Follow-up audits: Audits are held six to 12 months after the original audit to assess corrective action taken by management to address audit findings. These audits continue until all audit recommendations are resolved. An audit recommendation is considered to be satisfactorily resolved if one of the following occurs:

management implements the audit recommendation,

management implements an alternative measure with the desired result of the audit recommendation,

or

management declines to implement the recommendation and accepts the resulting risks.

Follow-up findings and recommendations are reported in the same manner as regular audit results.